Abstract
On the evening of 2 November 1988, someone infected the Internet with a worm program. That program exploited flaws in utility programs in systems based on BSD-derived versions of UNIX. The flaws allowed the program to break into those machines and copy itself, thus infecting those systems. This program eventually spread to thousands of machines, and disrupted normal activities and Internet connectivity for many days.

This report gives a detailed description of the components of the worm program---data and functions. It is based on study of two completely independent reverse-compilations of the worm and a version disassembled to VAX assembly language. Almost no source code is given in the paper because of current concerns about the state of the "immune system" of Internet hosts, but the description should be detailed enough to allow the reader to understand the behavior of the program.

The paper contains a review of the security flaws exploited by the worm program, and gives some recommendations on how to eliminate or mitigate their future use. The report also includes an analysis of the coding style and methods used by the author(s) of the worm, and draws some conclusions about his abilities and intent.